On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. We previously covered the proposed rule (hereinafter, “the NPRM”), which was published on April 17, 2023. The final rule aligns closely with the NPRM.

OCR noted that the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization (holding that there is no constitutional right to abortion) created a legal landscape that “increase[s] the potential that use and disclosure of PHI about an individual’s reproductive health will undermine access to and the quality of health care generally.” According to OCR, the final rule aims to “continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care” by “limit[ing] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.”

The final rule prohibits a regulated entity from using or disclosing an individual’s PHI:

  • to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided; and
  • to identify an individual, health care provider, or other person to initiate an investigation or proceeding against that person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

“Lawful under the circumstances in which it is provided” means that the reproductive health care is either:

  • lawful under the circumstances in which the health care is provided and in the state in which it is provided; or
  • protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

The final rule includes a presumption that the reproductive health care provided by a person other than the regulated entity receiving the request was lawful. The final rule also imposes a new requirement that regulated entities must obtain an attestation from the requestor that a requested use or disclosure of PHI potentially related to reproductive health care is not for a prohibited purpose. OCR plans to publish a model attestation prior to the compliance date of the final rule.

The final rule does not prevent the use or disclosure of PHI for purposes otherwise permitted under the Privacy Rule. Notably, the final rule also does not prohibit the use or disclosure of PHI to investigate or impose liability on persons in situations involving reproductive health care that was unlawful when it was provided.

The final rule also modifies the Privacy Rule in the following ways:

  • Clarifying and adopting new definitions: The final rule clarifies that “person” in the HIPAA Rules means “natural person” (meaning a person who is born alive). In a slight departure from the NPRM, the final rule defines “public health,” in the context of surveillance, investigation, and intervention, as “population-level activities to prevent disease and promote health of populations.” Public health surveillance, investigation, and intervention do not include efforts to conduct criminal, civil, and administrative investigations or impose criminal, civil, nor administrative liability for the mere act of seeking, obtaining, providing, or facilitating health care. This revision was intended to clarify that the final rule does not prevent reporting of public health information on communicable diseases. The definition of “reproductive health care” is expanded from that proposed in the NPRM to mean health care “that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.”
  • Personal representatives: The final rule clarifies that a personal representative’s provision or facilitation of reproductive health care at the request of the individual does not constitute the basis for a reasonable belief that the personal representative is subjecting the individual to abuse. This clarification responds to a concern that a regulated entity that disagrees with the reproductive services sought by the personal representative could cease to recognize that person as an individual’s personal representative by asserting abuse on the part of the personal representative.
  • Modifications of Notice of Privacy Practices (“NPP”): Regulated entities must modify their NPPs to inform individuals that their PHI may not be used or disclosed for a purpose prohibited under this final rule.

The final rule goes into effect on June 25, 2024, and regulated entities must implement compliance measures by December 23, 2024. Regulated entities have until February 16, 2026, to comply with the provisions related to NPPs.

Photo of Aubrey Stoddard Aubrey Stoddard

Aubrey Stoddard is an associate in the firm’s Washington, DC office, where she is a member of the Health Care Practice Group. Aubrey advises pharmaceutical, biotechnology, and medical device clients on a broad range of policy and regulatory issues.

Aubrey also maintains an…

Aubrey Stoddard is an associate in the firm’s Washington, DC office, where she is a member of the Health Care Practice Group. Aubrey advises pharmaceutical, biotechnology, and medical device clients on a broad range of policy and regulatory issues.

Aubrey also maintains an active pro bono practice centered on reproductive health.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.